[jadmin] jabberd14 'crypt' password storage in postgressql

Michał Minicki martel at post.pl
Wed Jun 13 03:36:19 CDT 2007


>> I think it can be a big security risk to store passwords in plaintext
>> in the database. 
> Where is this paranoia coming from?

Tomasz, let me ask you something. Do you lock your car when you're leaving 
it in a closed and secure parking lot? Well, some people go even further by 
using steering wheel locks under those circumstances. Shouldn't they trust 
the parking security and leave their cars open? Now, I wonder where this kind 
of "paranoia" is coming from...

> If you do not trust the administrator of the service, do not use the
> service. He will get your password no matter how is it stored. The
> server might just be tampered to store it before hash and compare.

Every security measure can be cracked one way or the other. But it's not an 
argument against using them.

I would like to trust my system administrator to keep my credentials in 
the most secure way he is able to. He's not the only person who can 
get access to this private data. And even if he is, I feel more at ease 
when I know getting the passwords is something complex, which requires more 
work than a plain and simple SQL query. Not to mention that 
man-in-the-middle attacks are much harder to pull off using simple 
exploits only.

I don't follow. Why do you advocate getting rid of additional security? 
Where's the actual benefit in this? 

> Tomasz Sterna



-- 
Martel Valgoerad aka Michal Minicki | martel at aie.pl | http://aie.pl/martel.asc
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
"Idleness is not doing nothing. Idleness is being free to do anything." 
 -- Floyd Dell
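The two storage choices argued over in this thread, side by side, as an added example that is not part of the original post and is not jabberd14's own xdb_sql schema. It assumes PostgreSQL with the pgcrypto extension available; the table and column names (users_plain, users_hashed, password_hash) and the sample credential are hypothetical, constructed for illustration only.

```sql
-- Added example, not jabberd14's own schema. Assumes PostgreSQL with pgcrypto.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Weak choice: the password is recoverable with a single SELECT, which is
-- exactly the "plain and simple SQL query" objected to above.
CREATE TABLE users_plain (
    username text PRIMARY KEY,
    password text NOT NULL          -- stored exactly as the user typed it
);
INSERT INTO users_plain VALUES ('alice', 'correct horse');   -- constructed sample
SELECT username, password FROM users_plain;                   -- leaks it directly

-- Hardened choice: only a salted bcrypt hash is stored. gen_salt('bf', 12)
-- produces a random salt with a cost factor of 12; crypt() embeds the salt
-- and cost in the result, so nothing else needs to be kept alongside it.
CREATE TABLE users_hashed (
    username text PRIMARY KEY,
    password_hash text NOT NULL     -- e.g. '$2a$12$...' as returned by crypt()
);
INSERT INTO users_hashed
VALUES ('alice', crypt('correct horse', gen_salt('bf', 12)));  -- constructed sample

-- Reading the table no longer yields the password, only the hash.
SELECT username, password_hash FROM users_hashed;

-- Login check: re-hash the supplied password with the salt taken from the
-- stored hash and compare. Returns one row on success, none otherwise.
SELECT username FROM users_hashed
 WHERE username = 'alice'
   AND password_hash = crypt('correct horse', password_hash);

-- Wrong password: the hashes differ, so no row comes back.
SELECT username FROM users_hashed
 WHERE username = 'alice'
   AND password_hash = crypt('wrong', password_hash);
```

Two caveats a practitioner would want. First, as the quoted reply points out, a hash in the table does nothing against a server that has been altered to capture the password before hashing; what it does remove is the trivial path of reading credentials straight out of a database dump or a stray SELECT. Second, the plaintext still travels inside the SQL text of the INSERT and the login SELECT, so PostgreSQL statement logging or query-duration logging can record it; hash on the application side, or make sure such logging is off for those statements, if that matters in your deployment.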